Attacks on Ukrainian Power Providers Hold Lessons for the Future

Power companies are the No. 2 target of attacks, with about 16 percent of attacks focused on energy firms, according to the ICS-CERT report. Ninety-seven of nearly 300 incidents reported in 2015 targeted critical-manufacturing firms, 8 percent targeted companies responsible for water and another 8 percent focused on transportation-system providers.
Yet the demonstration of a successful attack on power companies may embolden attackers, Lee said. "Is this possible in the U.S.? Absolutely," he said. "BlackEnergy has already targeted power companies in the U.S. However, the impact would have been different because we have a more hardened grid and a more secure system."
And while blacking out U.S. regions would be more difficult for attackers, recovering from such a blackout would be more difficult for defenders, because responsibility for the U.S. power grid is distributed among many companies, he said.
2. Wiper malware increasingly used to hide tracks

Companies should also be ready for increasingly damaging malware. The attackers targeting Ukrainian power companies used a module of BlackEnergy, known as KillDisk, to delete data and crash infected systems.

While such a destructive tactic is not new—attacks against oil and gas firms Saudi Aramco and RasGas, as well as South Korean banks and Sony Pictures, employed wiper capabilities—the use of the functionality against a critical infrastructure provider marks an escalation, said Trend Micro's Cabrera.
"This is definitely a milestone, unfortunately, in the use of destructive malware in an attack on critical infrastructure," he said. "It highlights a concern that everyone in critical infrastructure should have around what we are doing to protect ourselves."
3. Telephone DDoS attacks hinder response

The use of telephone-based denial-of-service attacks against call centers is another trend that will likely become a standard tactic in the future. The technique, often used against victims of financial-account takeovers, can delay the detection of an attack, said the SANS Institute's Lee.
"The interesting thing about the attack on the call center is that, as an operator of an electric grid, there are two ways to know the power is out," he said. "Your SCADA [supervisory control and data acquisition] system is telling you so, or the customers are calling in. Since they did not have access to SCADA systems, they had to rely on customers, but the attackers interfered with that."
While previous international attacks have largely gone unpunished, that needs to come to an end, Lee added.
"We cannot allow the targeting of civilian infrastructure for any reason," he said. "It should be completely out of bounds, and something has to be done about it."